From 0d7a4fbf959a1c522350786e83df580476bf5642 Mon Sep 17 00:00:00 2001
From: "mkanat%kerio.com" <>
Date: Fri, 8 Jul 2005 12:29:14 +0000
Subject: Bug 293159: [SECURITY] Anyone can change flags and access bug summaries due to a bad check in Flag::validate() and Flag::modify() Patch By Frederic Buclin r=myk, a=justdave
---
 attachment.cgi | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'attachment.cgi')
diff --git a/attachment.cgi b/attachment.cgi
index 0c010a061..e4cbe8eed 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -913,8 +913,11 @@ sub insert
 $vars->{'message'} = 'user_match_multiple';
 }
- Bugzilla::Flag::validate($cgi, $bugid);
- Bugzilla::FlagType::validate($cgi, $bugid, $cgi->param('id'));
+ # Flag::validate() should not detect any reference to existing
+ # flags when creating a new attachment. Setting the third param
+ # to -1 will force this function to check this point.
+ Bugzilla::Flag::validate($cgi, $bugid, -1);
+ Bugzilla::FlagType::validate($cgi, $bugid);
 # Escape characters in strings that will be used in SQL statements.
 my $sql_filename = SqlQuote($filename);
@@ -1148,7 +1151,7 @@ sub update
 Bugzilla::User::match_field($cgi, { '^requestee(_type)?-(\d+)$' => { 'type' => 'single' } });
- Bugzilla::Flag::validate($cgi, $bugid);
+ Bugzilla::Flag::validate($cgi, $bugid, $attach_id);
 Bugzilla::FlagType::validate($cgi, $bugid, $attach_id);
 # Lock database tables in preparation for updating the attachment.
--
cgit v1.2.3-24-g4f1b
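Review bot: The `-1` passed to `Bugzilla::Flag::validate()` in `insert` is a magic sentinel whose meaning is recorded only in this call-site comment, and the comment's closing sentence ("will force this function to check this point") does not say what gets rejected. I would reword it to `# No attachment exists yet, so any reference to an existing flag in the request is invalid;` / `# -1 is the "no attachment" marker that makes Flag::validate() reject such references.` Because the old two-argument call was accepted, the third parameter looks optional; Flag::validate() is not shown in this file-limited view, so please confirm that a caller omitting it fails closed instead of skipping the ownership check. The body of `insert` continues outside the hunk.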
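Review bot: The check added in `update` by `Bugzilla::Flag::validate($cgi, $bugid, $attach_id)` is only as strong as `$attach_id`, which is assigned outside this hunk. If that value has not already been confirmed to belong to `$bugid` and to be editable by the current user, submitted flag ids are only tied to whatever attachment the request names. A short comment above the call would make the dependency explicit, for example `# $attach_id has been validated earlier in update(); every flag id in the request must belong to it.` (to be confirmed against the code above the hunk). A regression test that submits a flag id from a different bug's attachment and expects a rejection would keep this from regressing. The body of `update` continues outside the hunk.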